cmslick3

join:2004-05-24
Joliet, IL

Cisco ASA VPN help

I need some help coming up with a VPN solution which works with the Cisco ASA devices; I believe our main office is a 5510, and the remote locations are all 5505s.

Here's the scenario:
My employer has agreed to monitor some RF equipment (repeaters) which have been installed in various buildings across the US. This means the end devices need to be able to send us SNMP traps. We also need to be able to remotely access the repeaters from our main office without having them sit out on the public internet (VPN). The complication is that we are not going to be able to order a dedicated DSL/T1 type connection to these buildings because the IT department where the RF equipment is located feels it is unnecessary. What they are giving us is a port to connect to which will give a DHCP address on their public usage LAN.

The solution I need:
I need a VPN solution using the ASA devices above which will build a site to site VPN between our HQ router and the remote router automatically. Basically I need to be able to take a router into any building, plug it in and have the VPN connect to our office with no config changes needed at the remote end. This solution needs to be able to handle the following conditions:
1. The remote location doesn't have a static IP, or we don't know what the static IP is before deploying the router.
2. The IP of the remote router may change at any time.
3. The tunnel must be bi-directional once terminated and active.
4. The possibility of NAT between the router and the gateway on the remote side.
5. Must use IPSEC.

Does anyone know if this is technically possible with the Cisco devices I mentioned above? Is there a link to some possible configurations? I have tried to Google this type of VPN but I am not sure exactly what it would be called so the results didn't seem to match my need.


HELLFIRE
Premium
join:2009-11-25
kudos:16

May want to request the Mods move this to the Cisco forum if you want this to be with Cisco (ASA) equipment.

That being said, your entire list can be fulfilled by the ASA. What you're looking for is a site to site VPN config, basically.

From a config side, generally you have to define a crypto policy -- encryption and hash algorithm goes here, then define the VPN peer details, and you should be off to the races.

Regards


cmslick3

join:2004-05-24
Joliet, IL

If this should be moved to the Cisco forum please do so mods.

I have been asking our IT department for this solution for some time now and they tell me it's not possible...


aryoba
Premium,MVM
join:2002-08-22
kudos:4

I'm unsure what considerations warrant your IT department saying such a solution is impossible. Site-to-Site IPSec VPN is standard practice at lots of places and your ASA is certainly capable of supporting it. Here is a sample configuration from this forum's FAQ as illustration.

»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

For stable connectivity, it is highly suggested to have a dedicated Public IP address from the ISP and a static IP address on the LAN side. Getting a static Public IP address from the ISP should not be a financial burden nor impractical.


cmslick3

join:2004-05-24
Joliet, IL

Their issue is the fact that we won't have our own static IP and they don't want to allow any IP to connect to our offices, which is what would be required. They want known IPs on both ends.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

The Site-to-Site IPSec VPN technical minimum requirement is to have a static Public IP address at your main office for the ASA 5510. The remote location ASA 5505s are not required to have a static Public IP address, though it is suggested to use one to maintain stable connectivity, especially when you are doing SNMP-based monitoring where you don't want to have false alerts due to an ever-changing dynamic IP address.

I'm unsure why you won't have a static Public IP address. Is it because it is financially burdening, or is it because your ISP is unable to provide one?



Paulg
Displaced Yooper
Premium
join:2004-03-15
Neenah, WI
kudos:1
reply to cmslick3

Without being able to get static IPs at the remote end, I'd look towards DMVPN.



MrTwister
Premium
join:2003-09-27
Hilliard, OH
reply to cmslick3

I can back up aryoba's answer.

As long as you have one static public IP address (preferably at your head-end (HQ)), you're golden.

We have a few thousand work-at-home users (running VMWare View), to whom we send out a 5505, and it calls home to one of our two data centers to nail up a VPN to the 5550s (fail-over pair) in each.

The end users' 5505s are on dynamic IPs from various ISPs with various bandwidths (with a stated minimum required, as we're traffic shaping the VPN tunnel to support both the PCoIP traffic and VoIP traffic for the C6941 hanging off the 5505).


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to cmslick3

I've done exactly this for "the tradeshow box" -- an ASA with an AP ziptied to the top of it. It is literally a plug-n-go setup (as long as the hotel does DHCP and doesn't block the IPsec traffic.) NAT isn't necessary, or recommended. Each remote site's inside network will have to have a unique subnet, but that's not a big deal. In your case, the remote ASAs will be behind something else doing NAT, so the HQ 5510 won't be able to initiate the L2L VPN, but it shouldn't be an issue.

Short answer: it's totally doable by someone versed in ASA VPNs.
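A concrete pairing of what HELLFIRE's config outline and cramer's NAT point describe, added here as an illustration rather than configuration from the thread or from Cisco: the HQ 5510 accepts IKE from peers whose address it cannot know in advance through a dynamic crypto map and the DefaultL2LGroup pre-shared key, with NAT-T enabled so a remote 5505 can sit behind the building's NAT, while the 5505 takes its outside address by DHCP and points a static crypto map at HQ. The addresses (203.0.113.10, 10.10.0.0/24, one /24 per site out of 10.20.0.0/16), object names and the 8.2-era (pre-8.3 NAT) syntax are all assumptions.

```text
! ---- HQ ASA 5510 (static outside IP, assumed 203.0.113.10; inside 10.10.0.0/24) ----
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Peers with unknown / changing IPs fall into DefaultL2LGroup; DPD tears down
! stale SAs quickly when a remote's DHCP address changes
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 isakmp keepalive threshold 10 retry 2
! Each remote site gets its own /24 inside 10.20.0.0/16; no NAT across the tunnel
access-list L2L-REMOTES extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list L2L-REMOTES
crypto dynamic-map DYN-REMOTES 10 match address L2L-REMOTES
crypto dynamic-map DYN-REMOTES 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-REMOTES 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-REMOTES
crypto map OUTSIDE-MAP interface outside

! ---- Remote ASA 5505, site 1 (outside via DHCP, inside 10.20.1.0/24) ----
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: this site's repeater LAN to the HQ LAN, exempt from NAT
access-list L2L-HQ extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list L2L-HQ
crypto map OUTSIDE-MAP 10 match address L2L-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 isakmp keepalive threshold 10 retry 2
```

Because HQ cannot initiate through the remote building's NAT, the 5505 brings the tunnel up, and the repeaters' SNMP traps toward 10.10.0.0/24 are the traffic that triggers it; once up, HQ-side access to the repeaters flows over the same SA.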


HELLFIRE
Premium
join:2009-11-25
kudos:16
reply to cmslick3

To the OP, does that answer your question, or do you need to get into the nitty gritty and get some hardware / configs?

Regards